VMware has released a workaround to address a critical zero-day in multiple VMware Workspace One components that allows attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.
Zero-days are publicly disclosed vulnerabilities not yet patched by the vendor. In some cases, zero-days are also actively exploited in the wild or have publicly available proof-of-concept exploits.
Not all versions are vulnerable
The vulnerability tracked as CVE-2020-4006 is a command injection bug — with a 9.1/10 CVSSv3 severity rating — found in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” according to VMware’s advisory.
Product versions affected by the CVE-2020-4006 zero-day include:
- VMware Workspace One Access 20.10 (Linux)
- VMware Workspace One Access 20.01 (Linux)
- VMware Identity Manager 3.3.1 up to 3.3.3 (Linux)
- VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
Temporary workaround available
While VMware is still working on releasing security updates to address the zero-day vulnerability, the company does provide admins with a temporary workaround designed to fully remove the attack vector on affected systems and prevent exploitation of CVE-2020-4006.
The provided workaround applies ONLY to VMware Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector according to VMware.
“Impacts are limited to functionality performed by this service,” VMware adds. “Configurator-managed setting changes will not be possible while the workaround is in place.”
“If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed.”
Full details on how to implement and revert the workarounds on Linux-based appliances and Windows-based servers are available HERE.
We urges admins and users to apply the workarounds issued by VMware to block attackers from potentially taking over impacted systems.